Privacy Policy

We collect the following categories of information:

• Account information: Your GitHub username, email address, and profile image when you sign in via GitHub OAuth.
• Repository data: Repository names, installation IDs, and configuration for repos where you install Comments on Code.
• Code diffs:Pull request diffs are temporarily processed for review. Code diffs are sent to Anthropic's Claude API for analysis and are not stored after review.
• Usage data: Review counts, comment counts, and aggregate statistics for your dashboard.
• Payment information: Billing is handled by Stripe. We store your Stripe customer ID but never store credit card numbers or payment details directly.

We use your information to:

• Provide and operate the code review service
• Authenticate your identity and manage your account
• Process pull request diffs and generate review comments
• Display usage statistics and review history on your dashboard
• Process payments and manage subscriptions
• Send important service notifications (security, billing, outages)
• Improve the Service and fix bugs

We do not sell your personal information. We share data only with the following third parties, solely to operate the Service:

• Anthropic (Claude API): Code diffs are sent to Anthropic for AI analysis. Anthropic's API does not retain input data for model training. See Anthropic's Privacy Policy.
• Stripe: Payment processing. See Stripe's Privacy Policy.
• GitHub / GitLab: We interact with these platforms via their APIs to fetch diffs and post review comments on your behalf.
• Vercel: Hosting and serverless infrastructure. See Vercel's Privacy Policy.
• Neon: Database hosting. See Neon's Privacy Policy.

We implement industry-standard security measures to protect your data:

• All connections use TLS 1.3 encryption
• Webhook payloads are verified via HMAC-SHA256 signatures
• Secrets and tokens are stripped from code diffs before and after AI analysis
• Database access is encrypted and scoped per user
• OAuth tokens are stored encrypted and never exposed to the client

• Code diffs: Not stored. Processed in memory and discarded after review.
• Review metadata: PR title, review status, file count, and comment count are retained for your dashboard and analytics.
• Account data: Retained until you delete your account.
• Webhook logs: Retained for 30 days for debugging, then automatically deleted.

Under GDPR, CCPA, and other applicable privacy laws, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate personal data.
• Deletion: Request deletion of your account and all associated data. Use the account deletion feature in your dashboard or contact us.
• Portability: Request an export of your data in a machine-readable format.
• Opt-out: We do not sell personal information. California residents may exercise their right to opt out under the CCPA.

To exercise any of these rights, contact us at privacy@commentsoncode.com. We will respond within 30 days.

We use only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. The session cookie is set by NextAuth and is required for the dashboard to function.

The Service integrates with third-party services. Each has its own privacy policy:

• Anthropic Claude API — AI code analysis (diffs not retained by Anthropic)
• Stripe — Payment processing
• GitHub / GitLab — Source code platform integration
• Vercel — Application hosting
• Neon — PostgreSQL database hosting

The Service is not intended for users under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.